Utility

Active Directory domain controllers out of sync

We ran into a problem with one of our domain controllers that had been disconnected for an extended period of time and could not sync changes properly when it became available again. There is a solution from Microsoft to resolve this issue.

We have repeated the knowledge base article here just in case it is not available on Microsoft's site. The original article can be found here.

Microsoft's article is shown here:

This step-by-step article describes how to use Netdom.exe to reset machine account passwords of a domain controller in Windows Server 2008 R2, in Windows Server 2008, or in Windows Server 2003.

Each Windows-based computer maintains a machine account password history that contains the current and previous passwords that are used for the account. When two computers try to authenticate with each other and a change to the current password is not yet received, Windows relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may not be able to communicate, and you may receive error messages. For example, you may receive “Access Denied” error messages when Active Directory replication occurs.

This behavior also applies to replication between domain controllers of the same domain. If the domain controllers that are not replicating reside in two different domains, look at the trust relationship more closely.

You cannot change the machine account password by using the Active Directory Users and Computers snap-in, but you can reset the password by using the Netdom.exe tool. The Netdom.exe tool is included in the Windows Support Tools for Windows Server 2003. The Netdom.exe tool is also included in Windows Server 2008 R2 and in Windows Server 2008.

The Netdom.exe tool resets the account password on the computer locally (known as a “local secret”) and writes this change to the computer’s computer account object on a Windows domain controller that resides in the same domain. Simultaneously writing the new password to both places ensures that at least the two computers involved in the operation are synchronized, and starts Active Directory replication so that other domain controllers receive the change.

The following procedure describes how to use the netdom command to reset a machine account password. This procedure is most frequently used on domain controllers, but also applies to any Windows machine account.

You must run the tool locally, from the Windows-based computer whose password you want to change. Additionally, you must have administrative permissions locally and on the computer account’s object in Active Directory to run Netdom.exe.

Use Netdom.exe to Reset a Machine Account Password


  1. Install the Windows Server 2003 Support Tools on the domain controller whose password you want to reset. These tools are located in the Support\Tools folder on the Windows Server 2003 CD-ROM. To install these tools, right-click the Suptools.msi file in the Support\Tools folder, and then click Install.
    Note This step is not necessary in Windows Server 2008 R2 and in Windows Server 2008 because the Netdom.exe tool is included in these Windows editions.
  2. If you want to reset the password for a Windows domain controller, you must stop the Kerberos Key Distribution Center service and set its startup type to Manual.
    Notes
    • After you restart and verify that the password has been successfully reset, you can restart the Kerberos Key Distribution Center (KDC) service and set its startup type back to Automatic. This forces the domain controller that has the incorrect computer account password to contact another domain controller for a Kerberos ticket.
    • You may have to disable the Kerberos Key Distribution Center service on all domain controllers except one. If you can, do not disable the domain controller that has the global catalog, unless it is experiencing problems.
  3. Remove the Kerberos ticket cache on the domain controller where you receive the errors. You can do this by restarting the computer or by using the KLIST, Kerbtest, or KerbTray tools. KLIST is included in Windows Server 2008 R2 and in Windows Server 2008. For Windows Server 2003, KLIST is available as a free download in the Windows Server 2003 Resource Kit Tools. To obtain the tools, visit the following Microsoft Web site:
  4. At a command prompt, type the following command:
    netdom resetpwd /s:server /ud:domain\User /pd:*

    A description of this command is:

    • /s:server is the name of the domain controller to use for setting the machine account password. This is the server where the KDC is running.
    • /ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is used.
    • /pd:* specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password.

    For example, the local domain controller computer is Server1 and the peer Windows domain controller is Server2. If you run Netdom.exe on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2, and replication propagates the change to other domain controllers:

    netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*
  5. Restart the server whose password was changed. In this example, this is Server1.
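The steps above as one PowerShell script, added here as an example rather than something taken from the Microsoft article. It is written for Windows Server 2008 and 2008 R2 (where netdom and klist ship with the OS), must be run elevated on the domain controller whose password is stale (Server1 in the article), and the peer server name, the account name, the domain name and the nltest secure-channel check are assumptions for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Microsoft article. Run on the DC whose
# password is stale (Server1); $PeerDc, $AdminUser and $DomainName are
# assumed values taken from the article's worked example.

function Reset-DcMachinePassword {
    param(
        [string]$PeerDc    = 'server2',               # healthy DC whose KDC keeps running (the article's /s:)
        [string]$AdminUser = 'mydomain\administrator' # account with rights on the computer object (/ud:)
    )
    $ErrorActionPreference = 'Stop'

    # Step 2: stop the local KDC and keep it off across the reboot, so this
    # DC has to ask $PeerDc for its Kerberos tickets after the reset.
    Stop-Service -Name Kdc
    Set-Service  -Name Kdc -StartupType Manual

    # Step 3: flush the ticket caches. The current session's cache is purged
    # first; 0x3e7 is the logon ID of the local SYSTEM session, which holds
    # the computer account's own tickets.
    klist purge           | Out-Null
    klist -li 0x3e7 purge | Out-Null

    # Step 4: reset the local secret and write it to $PeerDc in one operation.
    # /pd:* prompts for the password, so it is never stored in the script.
    netdom resetpwd "/s:$PeerDc" "/ud:$AdminUser" /pd:*
    if ($LASTEXITCODE -ne 0) {
        throw "netdom resetpwd returned $LASTEXITCODE; the KDC is still stopped, investigate before rebooting"
    }

    # Step 5: reboot the DC whose password was changed.
    Restart-Computer -Force
}

function Resume-Kdc {
    # Run after the reboot (the note under step 2): confirm the secure
    # channel is healthy, then set the KDC back to Automatic and start it.
    param([string]$DomainName = 'mydomain')          # assumed; the article's example domain

    # Added check, not in the article: nltest verifies the secure channel to
    # the domain and sets a non-zero exit code when the verification fails.
    nltest "/sc_verify:$DomainName"
    if ($LASTEXITCODE -ne 0) {
        throw "secure channel to $DomainName is still broken; do not restart the KDC yet"
    }

    Set-Service   -Name Kdc -StartupType Automatic
    Start-Service -Name Kdc
}

# Usage: Reset-DcMachinePassword   # before the reboot
#        Resume-Kdc                # after the reboot, once logged back in
```

The script deliberately stops only the local KDC; the article's note about disabling the KDC on every domain controller except one is an escalation for environments where the first attempt does not clear the errors, and is left as a manual decision.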

Interesting feature within Windows 7

Windows users are excited over the discovery of a hidden “GodMode” feature that lets users access all of the operating system’s control panels from within a single folder.  In order to enable this feature all you need to do is to create a new folder and then rename the folder to the following:

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

Once that is done, the folder’s icon will change to resemble a control panel and will contain dozens of control options.

I think most of these options are available elsewhere, but this provides a simple, easy-to-use method to access all of them.

How to Setup LogMeIn Secondary Users

LogMeIn is a platform that we use internally for our own computers as well as all our clients.

One of the most useful features of the LogMeIn offering is the ability to set up a secondary user to allow access to one or more computers in your account. It is pretty easy to set up this feature.

By creating Secondary Users in your LogMeIn account, you can allow remote access to one or more of your computers. Secondary Users have access only to the computers that you authorize, and you can disable their access at any time. Secondary Users cannot see any details of your LogMeIn account.

To create a Secondary User, follow these steps:

  1. Log in to LogMeIn.com using your registered email and password.
  2. On the My Computers page, click the Users link on the left side of the screen. If you do not see the Users link, you probably have to change your view to "Advanced View".
  3. Click the Secondary Users link at the top of the screen.
  4. Click Add New Secondary User.
  5. Enter the email address for the Secondary User that you are adding to your account.
  6. If you do not specifically change the permissions, the secondary user will have access to all computers in your account. However, you can select specific computers using the Specify Computers option.
  7. Once done, click Send Invitation.

Note: Secondary Users are required to define their own password when accepting the invitation, and can change it at any time. The Secondary User will also need to know a Windows username and password for the computers they have been given access to. If the computers are on a domain, they can probably log in with their own domain credentials.

Clearing Email History Lists in Outlook

One of the great features of Outlook (but also sometimes annoying) is that it remembers all the email addresses of the people that you send email to or receive email from.  This makes it really easy for composing emails except for when you get an email address that is spelled incorrectly in that list.  That can be extremely frustrating.

Turns out that it is super simple to remove that email address. Just compose an email and start typing the address. When you see it appear, use the arrow keys to select the incorrect entry and press the Delete key. It will be gone for good. Quick and easy.

If you want to clear the entire email history, you can do the following:

  • Exit Outlook
  • Run Windows Explorer
  • Navigate to the C:\Documents and Settings\username\Application Data\Microsoft\Outlook folder (substitute username with your username)
  • Find the file with the NK2 extension and rename or delete it.

Remote Desktop with Multiple Monitors / Screens

How to get Remote Desktop to support multiple monitors in a single session.

Great Script for Accessing IIS Configuration Properties

Need to extract information from IIS such as IP addresses, host headers, log directories and lots more? This little script from David Wang does a great job of it. It saved me hours and hours of work going through all my IIS servers manually.

Thanks David!

So what do you do with all those IIS log files?

You are responsible for one or more Windows web servers and you have all these IIS log files that you want to make some sense out of. If you have some basic SQL skills, Microsoft makes available a utility called LogParser which does a great job of getting in there and letting you query the files directly using basic SQL syntax. The feature I like the best is the ability to load the data into a SQL table for manipulation via T-SQL.

Here is a sample of what I did (this would all go on a single line):

c:\"program files"\"log parser 2.2"\LogParser -iCheckPoint:myCheckPoint.lpc -o:SQL -server:localhost -database:IISLogs -createtable:ON "SELECT * FROM ex0810*.log TO IISLogs"

This short command line will read in all log files that start with ex0810 and import them into a table called IISLogs.  It will also create a checkpoint file so that if you run the command again it will not import records that have already been imported.

How cool is that?

Once all the importing is done you can leverage the SQL tables using whatever methods you need to.
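A small PowerShell wrapper around that command line, added here as an example and not something from the original post. It runs the same checkpointed import into SQL Server, and then shows the kind of query you can run directly against the raw files without a database at all, in this case a first triage view of which clients generated the most 4xx responses. The LogParser path, the log folder, the database name and the query itself are assumptions; LogParser 2.2 must be installed.

```powershell
# Added example, not from the original post. Assumed paths and names:
$LogParser = 'C:\Program Files\Log Parser 2.2\LogParser.exe'
$LogGlob   = 'C:\inetpub\logs\LogFiles\W3SVC1\ex0810*.log'   # assumed log location
$SqlServer = 'localhost'
$Database  = 'IISLogs'

function Import-IisLogs {
    # Same import as the command line above: the checkpoint file (.lpc)
    # records how far each log file has been read, so a re-run only adds
    # lines that arrived since the last import.
    & $LogParser -i:IISW3C -iCheckPoint:myCheckPoint.lpc `
        -o:SQL "-server:$SqlServer" "-database:$Database" -createtable:ON `
        "SELECT * FROM $LogGlob TO IISLogs"
    if ($LASTEXITCODE -ne 0) {
        throw "LogParser import failed with exit code $LASTEXITCODE"
    }
}

function Get-FailedRequestsByClient {
    # Query the raw files directly (no database needed). A single client
    # producing thousands of 401/403/404 responses in a month is usually a
    # scanner or a credential-guessing tool, so this is a useful first look.
    $query = "SELECT c-ip, COUNT(*) AS Failures " +
             "FROM $LogGlob " +
             "WHERE sc-status >= 400 AND sc-status < 500 " +
             "GROUP BY c-ip ORDER BY Failures DESC"
    # -o:CSV with no INTO clause writes CSV to stdout; -stats:OFF drops the
    # trailing statistics lines so the output parses cleanly in PowerShell.
    & $LogParser -i:IISW3C -o:CSV -stats:OFF $query | ConvertFrom-Csv
}

Import-IisLogs
Get-FailedRequestsByClient | Select-Object -First 10 | Format-Table -AutoSize
```

Note that the checkpoint only applies to the SQL import; the direct query re-reads every matching file each time, which is fine for a month of logs but is the reason the SQL table is the better home for anything you run repeatedly.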

If you need any help with stuff, send us a note at support at quarksoft.com.

Outlook 2007 Preview Pane made useful…

I finally upgraded to Outlook 2007 about a month ago, and one of the features I found myself using a lot was the Preview feature for attachments. It was great for PDFs and the typical Office documents, but there were no preview handlers for files such as WAV. I have a VoIP line that emails me the voice mail messages that have been left, so having a WAV previewer would be really useful for me.

During my search for such a feature I ran across a great utility from Gil Azar (and in his post gives credit to lots of others for their help). You can download the ultimate Outlook 2007 preview handler from his site.

If you are interested in some of the technical details Gil discusses them on his page and provides some really great links.

I’ve included parts of Gil’s original post just in case his site disappears one day.

A self-extracting installer, which silently installs Stephen Toub's MSDN Magazine Managed Preview Handler Framework and Gil's small addition, can be downloaded here.

Command Line FTP Client with PASV support

I ran into a problem scheduling the transfer of a file via FTP today.  The server was behind a firewall that required me to use PASV FTP support.  Unfortunately the command line version of FTP that comes with Windows 2003 was not able to support this configuration (at least I could not figure out how to make it support it).

In trying to figure out a solution to this issue I ran across NcFTP. This is primarily a *nix based FTP tool (both server and client), but it has a Windows command line version of the client that proved to be just the tool I needed. You can download the Windows version of the client or, if you prefer, they have lots of *nix flavors.

Easy method to download a portion of a web site

I have this client that posted several hundred files on their internal web site that I needed to download to my laptop for testing purposes.  I started downloading them one by one and thought that there must be a better way without installing some big application to do this.  With a little Google searching I found a great open source utility called wget that provides everything I needed from a command line (which had the added bonus of being able to easily script it).

An example of the command to recursively download a web site is shown below:

wget -l2 -r -k http://www.siteyouwanttoget.com/folder1

  • The -l parameter tells the software how many levels to download (I only needed 2 levels deep in my example)
  • The -r parameter tells it to download recursively
  • The -k parameter tells it to convert non-relative links into relative ones so that there will not be any dependencies on the original site.

So there you have it. One simple, small 162 KB EXE that does exactly what I needed (it also does a lot more than this). Have fun!